Design question

Dan Letkeman danletkeman at gmail.com
Thu Feb 2 05:25:29 CET 2012


Hello,

I'm new to using radius servers and I have a few questions on best
practices and design.

We primarily use windows 7 on the machines that will authenticate, and
they are all connected to cisco switches and access points.  If I
understand things correctly I have the option of authenticating based
on users, certificates or users and certificates.  In our environment
I don't see the need to add users into the mix as almost all of the
machines are shared machines where multiple users will authenticate on
the same machines.  We also push applications to the machines when
users are not logged into them so we need the computer to authenticate
on its own when it boots up.

From what I understand I need to create myself a certificate and
install that certificate into the freeradius server and into each of
my client computers.  Then I need to configure my switches to use the
freeradius server to allow the traffic through when the client
computer wants to authenticate to the network.  As far as the switches
go I don't have any questions, it's fairly straightforward.

My questions are as follows:

Which EAP type should I use if I only want the computers to
authenticate using certificates?  EAP-TLS?

I am guessing I should be using WPA2/Enterprise on the clients for the
802.1x authentication on the Windows 7 clients?  And set it to use
computer authentication only?

Do I need a signed third party certificate or can I use a self signed one?

Could a user not just export the certificate from the computer and
import it into their own computer, configure their network settings
and get on the network?  Or is there a mechanism to keep people from
doing this?  Perhaps a password encrypted in the certificate?

Is there anything else I am missing?

Thanks,
Dan.
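
The certificate step described in the post above, as an added example that is not part of the original message and not the raddb/certs tooling that FreeRADIUS ships: a private CA, a server certificate and one machine certificate built with the openssl CLI, plus the chain check FreeRADIUS performs on a client certificate. The CA name "Example Lab Root CA", the server name radius.example.lab, the host name lab-pc-01.example.lab and the PKCS#12 password are assumptions; everything else is what openssl does.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeRADIUS): a minimal
# private PKI for EAP-TLS machine authentication built with openssl.
# CA name, server name, host name and the p12 password are assumptions.
set -eu

# Create a private CA, a RADIUS server certificate and one machine
# certificate under "$1". Keys are unencrypted (lab use only).
build_eap_tls_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-contained openssl config so the script does not depend on the
    # system openssl.cnf; v3_ca marks the root as a CA.
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Private root CA. ca.pem goes into the FreeRADIUS CA bundle and into
    #    each client's trusted-root store; ca.key never leaves this machine.
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -subj "/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # 2. Server certificate for FreeRADIUS: EKU serverAuth, SAN = host name.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=radius.example.lab" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.lab\n' \
        > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1
    # 3. Machine certificate for one client: EKU clientAuth, CN = host name.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=lab-pc-01.example.lab" \
        -keyout "$dir/machine.key" -out "$dir/machine.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/machine.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/machine.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/machine.ext" -out "$dir/machine.pem" >/dev/null 2>&1
    # 4. PKCS#12 bundle (cert + key + CA) for import into the Windows machine
    #    certificate store. The private key is the whole secret: whoever can
    #    export this bundle can authenticate as the machine.
    openssl pkcs12 -export -in "$dir/machine.pem" -inkey "$dir/machine.key" \
        -certfile "$dir/ca.pem" -passout pass:changeit \
        -out "$dir/machine.p12" >/dev/null 2>&1
}

# Does certificate "$2" chain to CA "$1"? This is the check the server
# applies to the client certificate during the EAP-TLS handshake.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does certificate "$1" carry the extended key usage named by "$2"?
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# A self-signed certificate for the same host name, i.e. one issued by a CA
# other than ours. It must fail verify_against_ca: the server trusts only
# certificates signed by the CA in its bundle, not any certificate at all.
build_rogue_cert() {
    dir="$1"
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/CN=lab-pc-01.example.lab" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" >/dev/null 2>&1
}

# Stand-alone run: build the PKI in a temp dir and report the chain checks.
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
build_eap_tls_pki "$PKI_DIR"
build_rogue_cert "$PKI_DIR"
for c in server machine rogue; do
    if verify_against_ca "$PKI_DIR/ca.pem" "$PKI_DIR/$c.pem"; then
        echo "$c.pem: chains to ca.pem"
    else
        echo "$c.pem: NOT trusted"
    fi
done
```

On the server side, ca.pem, server.pem and server.key are the three files the `tls` section of FreeRADIUS's eap.conf points at (`CA_file`, `certificate_file`, `private_key_file`); on the client side ca.pem goes into the trusted-root store and machine.p12 into the machine (not user) store. The rogue check shows why a private CA is enough for this design: a self-signed or third-party certificate with the right name is still rejected, because only certificates issued by ca.key verify against ca.pem.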
